Abstract. Software security can be ensured by specifying and verifying security properties of software using formal methods with strong theoretical bases. In particular, programs can be modeled in the framework of lambda-calculi, and interesting properties can be expressed formally by contextual equivalence (a.k.a. observational equivalence). Furthermore, imperative features, which exist in most real-life software, can be nicely expressed in the so-called computational lambda-calculus. Contextual equivalence is difficult to prove directly, but we can often use logical relations as a tool to establish it in lambda-calculi. We have already defined logical relations for the computational lambda-calculus in previous work. We devote this paper to the study of their completeness w.r.t. contextual equivalence in the computational lambda-calculus.



1 Introduction 

Contextual equivalence. Two programs are contextually equivalent (a.k.a. observationally equivalent) if they have the same observable behavior, i.e. an outsider cannot distinguish them. Interesting properties of programs can be expressed using the notion of contextual equivalence. For example, to prove that a program does not leak a secret, such as the secret key used by an ATM to communicate with the bank, it is sufficient to prove that if we change the secret, the observable behavior will not change [18, 3, 19, 11]: whatever experiment a customer makes with the ATM, he or she cannot guess information about the secret key by observing the reaction of the ATM. Another example is to specify functional properties by contextual equivalence. For example, if sorted is a function which checks that a list is sorted and sort is a function which sorts a list, then, for all lists l, you want the expression sorted(sort(l)) to be contextually equivalent to the expression true. Finally, in the context of parameterized verification, contextual equivalence allows the verification for all instantiations of the parameter to be reduced to the verification for a finite number of instantiations (see e.g. [6], where logical relations are one of the essential ingredients).

Logical relations. While contextual equivalence is difficult to prove directly because of the universal quantification over contexts, logical relations [15, 8] are powerful tools that allow us to deduce contextual equivalence in typed λ-calculi. With the aid of the so-called Basic Lemma, one can easily prove that logical relations are sound w.r.t. contextual equivalence. However, completeness of logical relations is much more difficult to achieve: usually we can only show the completeness of logical relations for types up to first order.

On the other hand, the computational λ-calculus [10] has proved useful to define various notions of computations on top of the λ-calculus: partial computations, exceptions, state transformers, continuations and non-determinism in particular. Moggi's insight is based on categorical semantics: while categorical models of the standard λ-calculus are cartesian closed categories (CCCs), the computational λ-calculus requires CCCs with a strong monad. Logical relations for monadic types, which are particularly introduced in Moggi's language, can be derived by the construction defined in [2], where soundness of logical relations is guaranteed.

However, monadic types introduce new difficulties. In particular, contextual equivalence becomes subtler due to the different semantics of different monads: equivalent programs in one monad are not necessarily equivalent in another! This accordingly makes completeness of logical relations more difficult to achieve in the computational λ-calculus. In particular, the usual proofs of completeness up to first order do not go through.

Contributions. We propose in this paper a notion of contextual equivalence for the computational λ-calculus. Logical relations for this language are defined according to the general derivation in [2]. We then explore the completeness and we prove that for the partial computation monad, the exception monad and the state transformer monad, logical relations are still complete up to first-order types. In the case of the non-determinism monad, we need to restrict ourselves to a subset of first-order types. As a corollary, we prove that strong bisimulation is complete w.r.t. contextual equivalence in a λ-calculus with monadic non-determinism.

Unlike previous work on using logical relations to study contextual equivalence in models with computational effects [16, 13, 9], most of which focuses on computations with local states, our work in this paper is based on a more general framework for describing computations, namely the computational λ-calculus. In particular, very different forms of computations like continuations and non-determinism are studied, not just those for local states.

Plan. The rest of this paper is structured as follows: we devote Section 2 to preliminaries, by introducing basic knowledge of logical relations in a simple version of typed λ-calculus; then from Section 3 on, we move to the computational λ-calculus and we rest on a set-theoretical model. In particular, Section 3.4 sketches out the proof scheme of completeness of logical relations for monadic types and shows the difficulty of getting a general proof; we then switch to case studies and we explore, in Section 4, the completeness in the computational λ-calculus for a list of common monads: partial computations, exceptions, state transformers, continuations and non-determinism; the last section consists of a discussion on related work and perspectives.

2 Logical relations for the simply typed λ-calculus

2.1 The simply typed λ-calculus $\lambda^{\to}$

Let $\lambda^{\to}$ be a simple version of typed λ-calculus:

Types: $\tau, \tau', \ldots ::= b \mid \tau \to \tau'$
Terms: $t, t', \ldots ::= x \mid c \mid \lambda x \cdot t \mid t\,t'$

where $b$ ranges over a set of base types (booleans, integers, etc.), $c$ over a set of constants and $x$ over a set of variables. We write $t[u/x]$ for the result of substituting the term $u$ for free occurrences of the variable $x$ in the term $t$. Typing judgments are of the form $\Gamma \vdash t : \tau$, where $\Gamma$ is a typing context, i.e. a finite mapping from variables to types. We say that $x : \tau$ is in $\Gamma$ whenever $\Gamma(x) = \tau$. We write $\Gamma, x : \tau$ for the typing context which agrees with $\Gamma$ except that it maps $x$ to $\tau$. Typing rules are as standard. We consider the set-theoretical semantics of $\lambda^{\to}$. The semantics of any type $\tau$ is given by a set $\llbracket \tau \rrbracket$. Those sets are such that $\llbracket \tau \to \tau' \rrbracket$ is the set of all functions from $\llbracket \tau \rrbracket$ to $\llbracket \tau' \rrbracket$, for all types $\tau$ and $\tau'$. A $\Gamma$-environment $\rho$ is a map such that, for every $x : \tau$ in $\Gamma$, $\rho(x)$ is an element of $\llbracket \tau \rrbracket$. We write $\rho[x := a]$ for the environment which agrees with $\rho$ except that it maps $x$ to $a$. We write $[x := a]$ for the environment just mapping $x$ to $a$. Let $t$ be a term such that $\Gamma \vdash t : \tau$ is derivable. The denotation of $t$, w.r.t. a $\Gamma$-environment $\rho$, is given as usual by an element $\llbracket t \rrbracket\rho$ of $\llbracket \tau \rrbracket$. We write $\llbracket t \rrbracket$ instead of $\llbracket t \rrbracket\rho$ when $\rho$ is irrelevant, e.g., when $t$ is a closed term. When given a value $a \in \llbracket \tau \rrbracket$, we say that it is definable if and only if there exists a closed term $t$ such that $\vdash t : \tau$ is derivable and $a = \llbracket t \rrbracket$.

Let $\mathrm{Obs}$ be a subset of base types, called observation types, such as booleans, integers, etc. A context $C$ is a term such that $x : \tau \vdash C : o$ is derivable, where $o$ is an observation type. We spell out the standard notion of contextual equivalence in a denotational setting: two elements $a_1$ and $a_2$ of $\llbracket \tau \rrbracket$ are contextually equivalent (written as $a_1 \approx_\tau a_2$) if and only if for any context $C$ such that $x : \tau \vdash C : o$ ($o \in \mathrm{Obs}$) is derivable, $\llbracket C \rrbracket[x := a_1] = \llbracket C \rrbracket[x := a_2]$. We say that two closed terms $t_1$ and $t_2$ of the same type $\tau$ are contextually equivalent whenever $\llbracket t_1 \rrbracket \approx_\tau \llbracket t_2 \rrbracket$. Without risk of confusion, we shall use the same notation $\approx_\tau$ to denote the contextual equivalence between terms. We also define a relation $\sim_\tau$: for every pair of values $a_1, a_2 \in \llbracket \tau \rrbracket$, $a_1 \sim_\tau a_2$ if and only if $a_1, a_2$ are definable and $a_1 \approx_\tau a_2$.

2.2 Logical relations 

Essentially, a (binary) logical relation [8] is a family $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ of relations, one for each type $\tau$, on $\llbracket \tau \rrbracket$ such that related functions map related arguments to related results. More formally, it is a family $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ of relations such that for every $f_1, f_2 \in \llbracket \tau \to \tau' \rrbracket$,

$$f_1\ \mathcal{R}_{\tau \to \tau'}\ f_2 \iff \forall a_1, a_2 \in \llbracket \tau \rrbracket .\ a_1\ \mathcal{R}_\tau\ a_2 \Rightarrow f_1(a_1)\ \mathcal{R}_{\tau'}\ f_2(a_2).$$

There is no constraint on relations at base types. In $\lambda^{\to}$, once the relations at base types are fixed, the above condition forces $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ to be uniquely determined by induction on types. We might have other complex types, e.g., products in variations of $\lambda^{\to}$, and in general, relations at these complex types should also be uniquely determined by the relations at their type components. For instance, pairs are related when their elements are pairwise related. A unary logical relation is also called a logical predicate.

A so-called Basic Lemma comes along with logical relations since Plotkin's work [13]. It states that if $\Gamma \vdash t : \tau$ is derivable, $\rho_1, \rho_2$ are two related $\Gamma$-environments, and every constant is related to itself, then $\llbracket t \rrbracket\rho_1\ \mathcal{R}_\tau\ \llbracket t \rrbracket\rho_2$. Here two $\Gamma$-environments $\rho_1, \rho_2$ are related by the logical relation if and only if $\rho_1(x)\ \mathcal{R}_\tau\ \rho_2(x)$ for every $x : \tau$ in $\Gamma$. The Basic Lemma is crucial for proving various properties using logical relations [8]. In the case of establishing contextual equivalence, it implies that, for every context $C$ such that $x : \tau \vdash C : o$ is derivable ($o \in \mathrm{Obs}$), $\llbracket C \rrbracket[x := a_1]\ \mathcal{R}_o\ \llbracket C \rrbracket[x := a_2]$ for every pair of related values $a_1, a_2$ in $\llbracket \tau \rrbracket$. If $\mathcal{R}_o$ is the equality, then $\llbracket C \rrbracket[x := a_1] = \llbracket C \rrbracket[x := a_2]$, i.e., $a_1 \approx_\tau a_2$. Briefly, for every logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ such that $\mathcal{R}_o$ is the equality for every observation type $o$, logically related values are necessarily contextually equivalent, i.e., $\mathcal{R}_\tau \subseteq\ \approx_\tau$ for any type $\tau$.

Completeness states the converse: a logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ is complete if all contextually equivalent values are related by this logical relation, i.e., $\approx_\tau \subseteq \mathcal{R}_\tau$ for every type $\tau$. Completeness for logical relations is hard to achieve, even in a simple version of λ-calculus like $\lambda^{\to}$. Usually we are only able to prove completeness for types up to first order (the order of types is defined inductively: $\mathrm{ord}(b) = 0$ for any base type $b$; $\mathrm{ord}(\tau \to \tau') = \max(\mathrm{ord}(\tau) + 1, \mathrm{ord}(\tau'))$ for function types). The following proposition states the completeness of logical relations in $\lambda^{\to}$ for types up to first order:



Proposition 1. There exists a logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ for $\lambda^{\to}$, partial equality on observation types, such that if $\vdash t_1 : \tau$ and $\vdash t_2 : \tau$ are derivable, for any type $\tau$ up to first order, $t_1 \approx_\tau t_2 \Rightarrow \llbracket t_1 \rrbracket\ \mathcal{R}_\tau\ \llbracket t_2 \rrbracket$.

Proof. Let $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ be the logical relation induced by $\mathcal{R}_b = \sim_b$ at every base type $b$; we show that it is complete for types up to first order.

The proof is by induction over $\tau$. Case $\tau = b$ is obvious. Let $\tau = b \to \tau'$. Take two terms $t_1, t_2$ of type $b \to \tau'$ such that $\llbracket t_1 \rrbracket$ and $\llbracket t_2 \rrbracket$ are related by $\approx_{b \to \tau'}$. Let $f_1 = \llbracket t_1 \rrbracket$ and $f_2 = \llbracket t_2 \rrbracket$. Assume that $a_1, a_2 \in \llbracket b \rrbracket$ are related by $\mathcal{R}_b$, therefore $a_1 \sim_b a_2$ since $\mathcal{R}_b = \sim_b$. Clearly, $a_1$ and $a_2$ are thus definable, say by terms $u_1$ and $u_2$, respectively. Then, for any context $C$ such that $x : \tau' \vdash C : o$ ($o \in \mathrm{Obs}$) is derivable,

$\llbracket C \rrbracket[x := f_1(a_1)]$
$= \llbracket C[x\,u_1/x] \rrbracket[x := f_1]$ (since $a_1 = \llbracket u_1 \rrbracket$)
$= \llbracket C[x\,u_1/x] \rrbracket[x := f_2]$ (since $f_1 \approx_{b \to \tau'} f_2$)
$= \llbracket C \rrbracket[x := f_2(a_1)]$
$= \llbracket C[t_2\,x/x] \rrbracket[x := a_1]$ (since $f_2 = \llbracket t_2 \rrbracket$)
$= \llbracket C[t_2\,x/x] \rrbracket[x := a_2]$ (since $a_1 \approx_b a_2$)
$= \llbracket C \rrbracket[x := f_2(a_2)]$.

Hence $f_1(a_1) \approx_{\tau'} f_2(a_2)$. Moreover, $f_1(a_1)$ and $f_2(a_2)$ are definable by $t_1 u_1$ and $t_2 u_2$ respectively. By induction hypothesis, $f_1(a_1)\ \mathcal{R}_{\tau'}\ f_2(a_2)$. Because $a_1$ and $a_2$ are arbitrary, we conclude that $f_1\ \mathcal{R}_{b \to \tau'}\ f_2$. □



Note that an equivalent way to state completeness of logical relations is to say that there exists a logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ which is partial equality on observation types and such that, for all first-order types $\tau$, $\sim_\tau \subseteq \mathcal{R}_\tau$.

3 Logical relations for the computational λ-calculus

3.1 The computational λ-calculus $\lambda_{comp}$

From this section on, our discussion is based on another language: Moggi's computational λ-calculus. Moggi defines this language so that one can express various forms of side effects (exceptions, non-determinism, etc.) in this general framework [10]. The computational λ-calculus, denoted by $\lambda_{comp}$, extends $\lambda^{\to}$:

Types: $\tau, \tau', \ldots ::= b \mid \tau \to \tau' \mid T\tau$

Terms: $t, t', \ldots ::= x \mid c \mid \lambda x \cdot t \mid t\,t' \mid \mathrm{val}(t) \mid \mathrm{let}\ x \Leftarrow t\ \mathrm{in}\ t'$

An extra unary type constructor $T$ is introduced in the computational λ-calculus: intuitively, a type $T\tau$ is the type of computations of type $\tau$. We call $T\tau$ a monadic type in the sequel. The two extra constructs $\mathrm{val}(t)$ and $\mathrm{let}\ x \Leftarrow t\ \mathrm{in}\ t'$ represent respectively the trivial computation and the sequential computation, with the typing rules:

$$\frac{\Gamma \vdash t : \tau}{\Gamma \vdash \mathrm{val}(t) : T\tau} \qquad \frac{\Gamma \vdash t : T\tau \quad \Gamma, x : \tau \vdash t' : T\tau'}{\Gamma \vdash \mathrm{let}\ x \Leftarrow t\ \mathrm{in}\ t' : T\tau'}$$

Note that the let construct here should not be confused with that in PCF: in $\lambda_{comp}$, we bind the result of the term $t$ to the variable $x$, but they are not of the same type, since $t$ must be a computation.

Moggi also builds a categorical model for the computational λ-calculus, using the notion of monads [10]. Whereas categorical models of simply typed λ-calculi such as $\lambda^{\to}$ are usually cartesian closed categories (CCCs), a model for $\lambda_{comp}$ additionally requires a strong monad $(T, \eta, \mu, t)$ to be defined over the CCC. Consequently, a monadic type is interpreted using the monad $T$: $\llbracket T\tau \rrbracket = T\llbracket \tau \rrbracket$, and each term in $\lambda_{comp}$ has a unique interpretation as a morphism in a CCC with the strong monad [10]. Semantics of the two additional constructs can be given in full generality in a categorical setting [10]: the denotations of the val construct and the let construct are defined by the following composites respectively:

$$\llbracket \Gamma \vdash \mathrm{val}(t) : T\tau \rrbracket :\ \llbracket \Gamma \rrbracket \xrightarrow{\ \llbracket t \rrbracket\ } \llbracket \tau \rrbracket \xrightarrow{\ \eta\ } T\llbracket \tau \rrbracket,$$

$$\llbracket \Gamma \vdash \mathrm{let}\ x \Leftarrow t_1\ \mathrm{in}\ t_2 : T\tau' \rrbracket :\ \llbracket \Gamma \rrbracket \xrightarrow{\ \langle \mathrm{id}, \llbracket t_1 \rrbracket \rangle\ } \llbracket \Gamma \rrbracket \times T\llbracket \tau \rrbracket \xrightarrow{\ t\ } T(\llbracket \Gamma \rrbracket \times \llbracket \tau \rrbracket) \xrightarrow{\ T\llbracket t_2 \rrbracket\ } TT\llbracket \tau' \rrbracket \xrightarrow{\ \mu\ } T\llbracket \tau' \rrbracket.$$



In particular, the interpretation of terms in the computational λ-calculus must satisfy the following equations:

$$\llbracket \mathrm{let}\ x \Leftarrow \mathrm{val}(t_1)\ \mathrm{in}\ t_2 \rrbracket\rho = \llbracket t_2[t_1/x] \rrbracket\rho, \quad (1)$$

$$\llbracket \mathrm{let}\ x_2 \Leftarrow (\mathrm{let}\ x_1 \Leftarrow t_1\ \mathrm{in}\ t_2)\ \mathrm{in}\ t_3 \rrbracket\rho = \llbracket \mathrm{let}\ x_1 \Leftarrow t_1\ \mathrm{in}\ \mathrm{let}\ x_2 \Leftarrow t_2\ \mathrm{in}\ t_3 \rrbracket\rho, \quad (2)$$

$$\llbracket \mathrm{let}\ x \Leftarrow t\ \mathrm{in}\ \mathrm{val}(x) \rrbracket\rho = \llbracket t \rrbracket\rho. \quad (3)$$

We shall focus on Moggi's monads defined over the category $\mathbf{Set}$ of sets and functions. Figure 1 lists the definitions of some concrete monads: partial computations, exceptions, state transformers, continuations and non-determinism. We shall write $\lambda^{Set}_{comp}$ to refer to $\lambda_{comp}$ where the monad is restricted to be one of these five monads.

Fig. 1. Concrete monads defined in Set





The computational λ-calculus is strongly normalizing [1]. The reduction rules in $\lambda_{comp}$ are called βc-reduction rules in [1], which, apart from standard β-reduction in the λ-calculus, contain in particular the following two rules for computations:

$$\mathrm{let}\ x \Leftarrow \mathrm{val}(t_1)\ \mathrm{in}\ t_2 \to_{\beta c} t_2[t_1/x], \quad (4)$$

$$\mathrm{let}\ x_2 \Leftarrow (\mathrm{let}\ x_1 \Leftarrow t_1\ \mathrm{in}\ t_2)\ \mathrm{in}\ t \to_{\beta c} \mathrm{let}\ x_1 \Leftarrow t_1\ \mathrm{in}\ (\mathrm{let}\ x_2 \Leftarrow t_2\ \mathrm{in}\ t). \quad (5)$$

With respect to the βc rules, every term can be reduced to a term in βc-normal form. Considering also the following η-equality rule for monadic types [1]:

$$\mathrm{let}\ x \Leftarrow t\ \mathrm{in}\ t'[\mathrm{val}(x)/x'] =_\eta t'[t/x'], \quad (6)$$

we can write every term of a monadic type in the following βc-normal η-long form

$$\mathrm{let}\ x_1 \Leftarrow d_1 u_{11} \cdots u_{1k_1}\ \mathrm{in}\ \cdots\ \mathrm{let}\ x_n \Leftarrow d_n u_{n1} \cdots u_{nk_n}\ \mathrm{in}\ \mathrm{val}(u),$$

where $n = 0, 1, 2, \ldots$, every $d_i$ ($1 \le i \le n$) is either a constant or a variable, and $u$ and the $u_{ij}$ ($1 \le i \le n$, $1 \le j \le k_i$) are all βc-normal terms or βc-normal-η-long terms (of monadic types). In fact, the rules (4) to (6) just identify the equations (1) to (3) respectively.

Lemma 1. For every term $t$ of type $T\tau$ in $\lambda_{comp}$, there exists a βc-normal-η-long term $t'$ such that $\llbracket t' \rrbracket\rho = \llbracket t \rrbracket\rho$, for every valid interpretation $\llbracket \cdot \rrbracket\rho$ (i.e., interpretations satisfying the equations (1) to (3)).

Proof. Because the computational λ-calculus is strongly normalizing, we consider the βc-normal form of the term $t$ and prove it by structural induction on $t$.

- If $t$ is either a variable, a constant or an application, according to equation (3):

$$\llbracket t \rrbracket\rho = \llbracket \mathrm{let}\ x \Leftarrow t\ \mathrm{in}\ \mathrm{val}(x) \rrbracket\rho.$$

In particular, if $t$ is an application $t_1 t_2$, then $t_1$ must be either a variable or a constant since $t$ is βc-normal. Therefore, the term $\mathrm{let}\ x \Leftarrow t\ \mathrm{in}\ \mathrm{val}(x)$ is in βc-normal-η-long form.

- If $t$ is a trivial computation $\mathrm{val}(t')$, by induction there is a βc-normal-η-long term $t''$ such that $\llbracket t' \rrbracket\rho = \llbracket t'' \rrbracket\rho$, for every valid $\rho$; then $\llbracket \mathrm{val}(t') \rrbracket\rho = \llbracket \mathrm{val}(t'') \rrbracket\rho$ as well.

- If $t$ is a sequential computation $\mathrm{let}\ x \Leftarrow t_1\ \mathrm{in}\ t_2$, since it is βc-normal, $t_1$ cannot be a val or a let term: $t_1$ must be of the form $d\,u_1 \cdots u_n$ ($n = 0, 1, 2, \ldots$) with $d$ either a variable or a constant. By induction, there is a βc-normal-η-long term $t_2'$ such that $\llbracket t_2 \rrbracket\rho = \llbracket t_2' \rrbracket\rho$, for every valid $\rho$; then $\llbracket t \rrbracket\rho = \llbracket \mathrm{let}\ x \Leftarrow t_1\ \mathrm{in}\ t_2' \rrbracket\rho$ and the latter is in βc-normal-η-long form. □

3.2 Contextual equivalence for $\lambda_{comp}$

As argued in [3], the standard notion of contextual equivalence does not fit in the setting of the computational λ-calculus. In order to define contextual equivalence for $\lambda_{comp}$, we have to consider contexts $C$ of type $To$ ($o$ is an observation type), not of type $o$. Indeed, contexts should be allowed to do some computations: if they were of type $o$, they could only return values. In particular, a context $C$ such that $x : T\tau \vdash C : o$ is derivable, meant to observe computations of type $\tau$, cannot observe anything, because the typing rule for the let construct only allows us to use computations to build other computations, never values. Taking this into account, we get the following definition:

Definition 1 (Contextual equivalence for $\lambda_{comp}$). In $\lambda_{comp}$, two values $a_1, a_2 \in \llbracket \tau \rrbracket$ are contextually equivalent, written as $a_1 \approx_\tau a_2$, if and only if for all observation types $o \in \mathrm{Obs}$ and contexts $C$ such that $x : \tau \vdash C : To$ is derivable, $\llbracket C \rrbracket[x := a_1] = \llbracket C \rrbracket[x := a_2]$. Two closed terms $t_1$ and $t_2$ of type $\tau$ are contextually equivalent if and only if $\llbracket t_1 \rrbracket \approx_\tau \llbracket t_2 \rrbracket$. We use the same notation $\approx_\tau$ to denote the contextual equivalence for terms.



3.3 Logical relations for $\lambda_{comp}$

A uniform framework for defining logical relations relies on the categorical notion of subscones [9], and a natural extension of logical relations able to deal with monadic types was introduced in [2]. The construction consists in lifting the CCC structure and the strong monad from the categorical model to the subscone. We reformulate this construction in the category $\mathbf{Set}$. The subscone is the category whose objects are binary relations $(A, B, R \subseteq A \times B)$ where $A$ and $B$ are sets; and a morphism between two objects $(A, B, R \subseteq A \times B)$ and $(A', B', R' \subseteq A' \times B')$ is a pair of functions $(f : A \to A', g : B \to B')$ preserving relations, i.e. $a\,R\,b \Rightarrow f(a)\,R'\,g(b)$.

The lifting of the CCC structure gives rise to the standard logical relations given in Section 2.2 and the lifting of the strong monad will give rise to relations for monadic types. We write $\tilde{T}$ for the lifting of the strong monad $T$. Given a relation $R \subseteq A \times B$ and two computations $a \in TA$ and $b \in TB$, $(a, b) \in \tilde{T}(R)$ if and only if there exists a computation $c \in T(R)$ (i.e. $c$ computes pairs in $R$) such that $a = T\pi_1(c)$ and $b = T\pi_2(c)$. The standard definition of logical relation for the simply typed λ-calculus is then extended with:

$$(c_1, c_2) \in \mathcal{R}_{T\tau} \iff (c_1, c_2) \in \tilde{T}(\mathcal{R}_\tau). \quad (7)$$

This construction guarantees that the Basic Lemma always holds provided that every constant is related to itself [2]. A list of instantiations of the above definition in concrete monads is also given in [2]. Figure 2 cites the relations for those monads defined in Figure 1.

Fig. 2. Logical relations for concrete monads
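As an added illustration (not code from the paper), the lifting $\tilde{T}(R)$ defined above is computed directly from its definition, by exhaustive search over $c \in T(R)$, for three of the monads of Figure 1 on small finite sets; the exception set, the elements and the relation are constructed sample values, and for non-determinism the closed form (every element of $a$ is related to some element of $b$ and vice versa) is included as a cross-check.

```python
"""Lifting a binary relation through Set monads, as in Section 3.3.

Added example, not the paper's own code.  A relation R between sets A and B
is a finite set of pairs.  T~(R) relates a in TA and b in TB iff there is a
computation c in T(R) with a = T(pi1)(c) and b = T(pi2)(c); on the small
finite inputs used here the search over c is exhaustive.
"""
from itertools import combinations

BOTTOM = "⊥"            # constructed marker: the extra element of the partial monad
EXC = {"err1", "err2"}  # constructed exception set E for the exception monad


def powerset(xs):
    """All finite subsets of xs (the object part of the non-determinism monad)."""
    xs = list(xs)
    return {frozenset(s) for r in range(len(xs) + 1) for s in combinations(xs, r)}


# Each monad is given on objects (T applied to a set) and on morphisms
# (T applied to a function), following the definitions used in Proposition 2:
#   partial computations  TA = A + {⊥},   exceptions  TA = A + E,
#   non-determinism       TA = P_fin(A).
MONADS = {
    "partial": (lambda A: set(A) | {BOTTOM},
                lambda f: (lambda c: BOTTOM if c == BOTTOM else f(c))),
    "exception": (lambda A: set(A) | EXC,
                  lambda f: (lambda c: c if c in EXC else f(c))),
    "nondet": (powerset,
               lambda f: (lambda c: frozenset(f(x) for x in c))),
}


def lift(monad, R):
    """T~(R) by definition: the image of T(R) under the pair (T pi1, T pi2)."""
    T, fmap = MONADS[monad]
    pi1 = fmap(lambda p: p[0])
    pi2 = fmap(lambda p: p[1])
    return {(pi1(c), pi2(c)) for c in T(R)}


def lifted_related(monad, R, a, b):
    return (a, b) in lift(monad, R)


def egli_milner(R, a, b):
    """Closed form of T~(R) for non-determinism on finite sets: choosing
    c = R ∩ (a × b) shows the two characterisations agree."""
    return (all(any((x, y) in R for y in b) for x in a)
            and all(any((x, y) in R for x in a) for y in b))


def is_partial_equality(rel):
    """True when rel is contained in the identity (an 'observational' relation)."""
    return all(a == b for a, b in rel)


if __name__ == "__main__":
    R = {(1, 1), (1, 2), (3, 3)}  # constructed sample relation
    for m in MONADS:
        print(m, sorted(map(str, lift(m, R))))
```

Passing a relation contained in the identity to `lift` shows, for each monad, the fact used later in Section 3.4: the lifting of a partial equality is again a partial equality.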



We restrict our attention to logical relations $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ such that, for any observation type $o \in \mathrm{Obs}$, $\mathcal{R}_{To}$ is a partial equality. Such relations are called observational in the rest of the paper.

Note that we require partial identity on $To$, not on $o$. But if we assume that the denotation of $\mathrm{val}(\_)$, i.e., the unit operation $\eta$, is injective, then $\mathcal{R}_{To}$ being a partial equality implies that $\mathcal{R}_o$ is a partial equality as well. Indeed, let $a_1\ \mathcal{R}_o\ a_2$; by the Basic Lemma, $\llbracket \mathrm{val}(x) \rrbracket[x := a_1]\ \mathcal{R}_{To}\ \llbracket \mathrm{val}(x) \rrbracket[x := a_2]$, that is to say $\eta_{\llbracket o \rrbracket}(a_1) = \eta_{\llbracket o \rrbracket}(a_2)$. By injectivity of $\eta$, $a_1 = a_2$.



Theorem 1 (Soundness of logical relations in $\lambda_{comp}$). If $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ is an observational logical relation, then $\mathcal{R}_\tau \subseteq\ \approx_\tau$ for every type $\tau$.

It is straightforward from the Basic Lemma.

3.4 Toward a proof of completeness of logical relations for $\lambda_{comp}$

Completeness of logical relations for $\lambda_{comp}$ is much subtler than in $\lambda^{\to}$ due to the introduction of monadic types. We were expecting to find a general proof following the general construction defined in [2]. However, this turns out to be extremely difficult, although it might not be impossible with certain restrictions, on types for example. The difficulty arises mainly from the different semantics for different forms of computations, which do not ensure that equivalent programs in one monad are necessarily equivalent in another. For instance, consider the following two programs in $\lambda_{comp}$:

$$\mathrm{let}\ x \Leftarrow t_1\ \mathrm{in}\ \mathrm{let}\ y \Leftarrow t_2\ \mathrm{in}\ \mathrm{val}(x),$$
$$\mathrm{let}\ y \Leftarrow t_2\ \mathrm{in}\ \mathrm{let}\ x \Leftarrow t_1\ \mathrm{in}\ \mathrm{val}(x),$$

where both $t_1$ and $t_2$ are closed terms. We can conclude that they are equivalent in the non-determinism monad (they return the same set of possible results of $t_1$, no matter what results $t_2$ produces), but this is not the case in, e.g., the exception monad when $t_1$ and $t_2$ throw different exceptions.

Faced with such an obstacle, we shall switch our effort to case studies in Section 4 and explore the completeness of logical relations for a list of common monads, precisely, all the monads listed in Figure 1. But let us sketch out here a general structure for proving completeness of logical relations in $\lambda_{comp}$. In particular, our study is still restricted to first-order types, which, in $\lambda_{comp}$, are defined by the following grammar:

$$\tau ::= b \mid T\tau \mid b \to \tau$$

where $b$ ranges over the set of base types.

Similarly as in Proposition 1 in Section 2.2, we investigate completeness in a strong sense: we aim at finding an observational logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ such that if $\vdash t_1 : \tau$ and $\vdash t_2 : \tau$ are derivable and $t_1 \approx_\tau t_2$, for any type $\tau$ up to first order, then $\llbracket t_1 \rrbracket\ \mathcal{R}_\tau\ \llbracket t_2 \rrbracket$. Or briefly, $\sim_\tau \subseteq \mathcal{R}_\tau$, where $\sim_\tau$ is the relation defined in Section 2. As in the proof of Proposition 1, the logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ will be induced by $\mathcal{R}_b = \sim_b$, for any base type $b$. Then how to prove the completeness for an arbitrary monad $T$?

Note that we should also check that the logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$, induced by $\mathcal{R}_b = \sim_b$, is observational, i.e., a partial equality on $To$, for any observation type $o$. Consider any pair $(a, b) \in \mathcal{R}_{To} = \tilde{T}(\mathcal{R}_o)$. By definition of the lifted monad $\tilde{T}$, there exists a computation $c \in T\mathcal{R}_o$ such that $a = T\pi_1(c)$ and $b = T\pi_2(c)$. But $\mathcal{R}_o = \sim_o \subseteq \mathrm{id}_{\llbracket o \rrbracket}$, hence the two projections $\pi_1, \pi_2 : \mathcal{R}_o \to \llbracket o \rrbracket$ are the same function, $\pi_1 = \pi_2$, and consequently $a = T\pi_1(c) = T\pi_2(c) = b$. This proves that $\mathcal{R}_{To}$ is a partial equality.

As usual, the proof of completeness would go by induction over $\tau$, to show $\sim_\tau \subseteq \mathcal{R}_\tau$ for each first-order type $\tau$. Cases $\tau = b$ and $\tau = b \to \tau'$ go identically as in $\lambda^{\to}$. The only difficult case is $\tau = T\tau'$, i.e., the induction step:

(8)

We did not find any general way to show (8) for an arbitrary monad. Instead, in the next section we prove it by cases, for all the monads in Figure 1 except the non-determinism monad. The non-determinism monad is an exceptional case where we do not have completeness for all first-order types but only for a subset of them. This will be studied separately in Section 4.
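The two programs of this section, evaluated in Python under the non-determinism, partial computation and exception monads (an added example, not the paper's own code): each monad is given by its unit (the denotation of val) and its bind (the denotation of let), $t_1$ and $t_2$ are supplied as already-evaluated computations, and the exception set is a constructed sample.

```python
"""The two programs of Section 3.4 evaluated in three Set monads.

Added example, not the paper's own code.  A context of type T o just
observes the resulting computation, so the two programs are contextually
distinguishable exactly when their denotations differ.
"""
BOTTOM = "⊥"            # constructed marker for non-termination (partial monad)
EXC = {"err1", "err2"}  # constructed exception set E (exception monad)

# (unit, bind) for each monad, i.e. the denotations of val and let.
MONADS = {
    # partial computations: T A = A + {⊥}; let propagates ⊥
    "partial": (lambda a: a,
                lambda c, f: BOTTOM if c == BOTTOM else f(c)),
    # exceptions: T A = A + E; let propagates the first exception raised
    "exception": (lambda a: a,
                  lambda c, f: c if c in EXC else f(c)),
    # non-determinism: T A = P_fin(A); let collects every possible result
    "nondet": (lambda a: frozenset({a}),
               lambda c, f: frozenset().union(*(f(x) for x in c))),
}


def program_a(monad, t1, t2):
    """let x <= t1 in let y <= t2 in val(x)"""
    unit, bind = MONADS[monad]
    return bind(t1, lambda x: bind(t2, lambda y: unit(x)))


def program_b(monad, t1, t2):
    """let y <= t2 in let x <= t1 in val(x)"""
    unit, bind = MONADS[monad]
    return bind(t2, lambda y: bind(t1, lambda x: unit(x)))


def same_observation(monad, t1, t2):
    """True iff no context of type T o can tell the two programs apart."""
    return program_a(monad, t1, t2) == program_b(monad, t1, t2)


if __name__ == "__main__":
    print(program_a("nondet", frozenset({1, 2}), frozenset({3, 4})))
    print(program_a("exception", "err1", "err2"), program_b("exception", "err1", "err2"))
```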

At the heart of the difficulty of showing (8), we find an issue of definability at monadic types in the set-theoretical model. We write $\mathrm{def}_\tau$ for the subset of definable elements in $\llbracket \tau \rrbracket$, and we eventually show that the relation between $\mathrm{def}_{T\tau}$ and $\mathrm{def}_\tau$ can be shortly spelled out:

$$\mathrm{def}_{T\tau} \subseteq T\mathrm{def}_\tau \quad (9)$$

for all the monads we consider in this paper. This is a crucial argument for proving completeness of logical relations for monadic types, but to show (9), we need different proofs for different monads. This is detailed in Section 4.1.



4 Completeness of logical relations for monadic types

4.1 Definability in the set-theoretical model of $\lambda^{Set}_{comp}$

As we have seen in $\lambda^{\to}$, definability is involved largely in the proof of completeness of logical relations (for first-order types). This is also the case in $\lambda_{comp}$, and it apparently needs more care due to the introduction of monadic types.

Although we did not find a general proof for (9), it does hold for all the concrete monads in $\lambda^{Set}_{comp}$. To state it formally, let us first define a predicate $\mathcal{P}_\tau$ on elements of $\llbracket \tau \rrbracket$, by induction on types:

- $\mathcal{P}_b = \mathrm{def}_b$, for every base type $b$;

- $\mathcal{P}_{T\tau} = T(\mathrm{def}_\tau \cap \mathcal{P}_\tau)$;

- $\mathcal{P}_{\tau \to \tau'} = \{ f \mid \forall a \in \mathrm{def}_\tau,\ f(a) \in \mathcal{P}_{\tau'} \}$.

We say that a constant $c$ (of type $\tau$) is logical if and only if $\tau$ is a base type or $\llbracket c \rrbracket \in \mathcal{P}_\tau$. We then require that $\lambda^{Set}_{comp}$ contains only logical constants. Note that this restriction is valid because the predicates $\mathcal{P}_{T\tau}$ and $\mathcal{P}_{\tau \to \tau'}$ depend only on definability at type $\tau$. Some typical logical constants for monads in $\lambda^{Set}_{comp}$ are as follows:

- Partial computation: a constant $\Omega_\tau$ of type $T\tau$, for every $\tau$. $\Omega_\tau$ denotes non-termination, so $\llbracket \Omega_\tau \rrbracket = \bot$.

- Exception: a constant $\mathrm{raise}^e_\tau$ of type $T\tau$ for every type $\tau$ and every exception $e \in E$. $\mathrm{raise}^e_\tau$ does nothing but raise the exception $e$, so $\llbracket \mathrm{raise}^e_\tau \rrbracket = e$.

- State transformer: a constant $\mathrm{update}_s$ of type $T\mathrm{unit}$ for every state $s \in St$, where $\mathrm{unit}$ is the base type which contains only a dummy value $*$. $\mathrm{update}_s$ simply changes the current state to $s$, so for any $s' \in St$, $\llbracket \mathrm{update}_s \rrbracket(s') = (*, s)$.

- Continuation: a constant $\mathrm{call}^\tau_k$ of type $\tau \to T\mathrm{bool}$ for every $\tau$ and every continuation $k \in R^{\llbracket \tau \rrbracket}$. $\mathrm{call}^\tau_k$ calls directly the continuation $k$; it behaves somewhat like a "goto" command, so for any $a \in \llbracket \tau \rrbracket$ and any continuation $k' \in R^{\llbracket \mathrm{bool} \rrbracket}$, $\llbracket \mathrm{call}^\tau_k \rrbracket(a)(k') = k(a)$.

- Non-determinism: a constant $+_\tau$ of type $\tau \to \tau \to T\tau$ for every non-monadic type $\tau$. $+_\tau$ takes two arguments and returns one of them non-deterministically, so for any $a_1, a_2 \in \llbracket \tau \rrbracket$, $\llbracket +_\tau \rrbracket(a_1, a_2) = \{a_1, a_2\}$.

We assume in the rest of this paper that the above constants are present in $\lambda^{Set}_{comp}$.¹

Note that $\mathcal{P}_\tau$ being a predicate on elements of $\llbracket \tau \rrbracket$ is equivalent to saying that $\mathcal{P}_\tau$ can be seen as a subset of $\llbracket \tau \rrbracket$, but in the case of monadic types, $\mathcal{P}_{T\tau}$ (i.e., $T(\mathrm{def}_\tau \cap \mathcal{P}_\tau)$) is not necessarily a subset of $\llbracket T\tau \rrbracket$ (i.e., $T\llbracket \tau \rrbracket$). Fortunately, we prove that all the monads in $\lambda^{Set}_{comp}$ preserve inclusions, which ensures that the predicate $\mathcal{P}$ is well-defined:



Proposition 2. All the monads in $\lambda^{Set}_{comp}$ preserve inclusions: $A \subseteq B \Rightarrow TA \subseteq TB$.

Proof. We check it for every monad in $\lambda^{Set}_{comp}$, assuming $A \subseteq B$.

- Partial computation: according to the monad definition, for every $c \in TA$:

$$c \in TA \iff c \in A \text{ or } c = \bot \Rightarrow c \in B \text{ or } c = \bot \iff c \in TB.$$

- Exception: for every element $c \in TA$:

$$c \in TA \iff c \in A \text{ or } c \in E \Rightarrow c \in B \text{ or } c \in E \iff c \in TB.$$

- State transformer: for every $c \in TA$:

$$c \in TA \iff \forall s \in St .\ \pi_1(c\,s) \in A \Rightarrow \forall s \in St .\ \pi_1(c\,s) \in B \iff c \in TB.$$

- Continuation: this is a special case because apparently $TA = R^{R^A}$ is not a subset of $TB = R^{R^B}$, since they contain functions that are defined on different domains, but we shall consider here the functions coinciding on the smaller set $A$ as equivalent. We say that two functions $f_1$ and $f_2$ defined on a domain $B$ coincide on $A$ ($A \subseteq B$), written as $f_1|_A = f_2|_A$, if and only if for every $x \in A$, $f_1(x) = f_2(x)$. Then for every $c \in TA$:

$$\forall k_1, k_2 \in R^B .\ k_1 = k_2 \Rightarrow k_1|_A = k_2|_A \Rightarrow c(k_1) = c(k_2),$$

so $c$ is also a function from $R^B$ to $R$, i.e., $c \in TB$.

- Non-determinism: for every $c \in TA$:

$$c \in TA \iff \forall a \in c .\ a \in A \Rightarrow \forall a \in c .\ a \in B \iff c \in TB. \quad □$$

Introducing such a constraint on constants is mainly for proving (9). Let us sketch the proof. Take an arbitrary element $c$ in $\mathrm{def}_{T\tau}$. By definition, there exists a closed term $t$ of type $T\tau$ such that $\llbracket t \rrbracket = c$. While it is not evident that $c \in T\mathrm{def}_\tau$, we expect to show that $\llbracket t \rrbracket \in T\mathrm{def}_\tau$ by considering the βc-normal-η-long form of $t$, since $\lambda_{comp}$ is strongly normalizing. Take the partial computation monad as an example, where $T\mathrm{def}_\tau = \mathrm{def}_\tau \cup \{\bot\}$. Consider the βc-normal-η-long form of $t$:

$$\mathrm{let}\ x_1 \Leftarrow d_1 u_{11} \cdots u_{1k_1}\ \mathrm{in}\ \cdots\ \mathrm{let}\ x_n \Leftarrow d_n u_{n1} \cdots u_{nk_n}\ \mathrm{in}\ \mathrm{val}(u).$$

We shall proceed by induction on $n$. It is clear that $\llbracket t \rrbracket \in T\mathrm{def}_\tau$ when $n = 0$. For the induction step, we hope that the closed term $d_1 u_{11} \cdots u_{1k_1}$ (of type $T\tau_1$) would produce either $\bot$ (non-termination), or a definable result (of type $\tau_1$), so that we can substitute $x_1$ in the rest of the normal term with the result of $d_1 u_{11} \cdots u_{1k_1}$ and make use of the induction hypothesis. The constraint on constants helps here: it ensures that after the substitution, the resulting term is still in the proper form, so that the induction goes through.

¹ It is easy to check that each of these constants is related to itself, except $\mathrm{call}^\tau_k$ for continuations. However, we still assume the presence of $\mathrm{call}^\tau_k$ for the sake of proving completeness, while we are not able to prove the soundness with it. Note that Theorem 1 and Theorem 2 still hold, but they are not speaking of the same language.

The following lemma shows that for every computation term $t$, $\llbracket t \rrbracket \in T\mathrm{def}_\tau$ if $t$ is in a particular form, which is a more general form than the βc-normal-η-long form.

Lemma 2. In $\lambda^{Set}_{comp}$, $\llbracket t \rrbracket \in T\mathrm{def}_\tau$ for every closed computation term $t$ (of type $T\tau$) of the following form:

$$t = \mathrm{let}\ x_1 \Leftarrow t_1 w_{11} \cdots w_{1k_1}\ \mathrm{in}\ \cdots\ \mathrm{let}\ x_n \Leftarrow t_n w_{n1} \cdots w_{nk_n}\ \mathrm{in}\ \mathrm{val}(w),$$

where $n = 0, 1, 2, \ldots$ and each $t_i$ ($1 \le i \le n$) is either a variable or a closed term such that $\mathcal{P}(\llbracket t_i \rrbracket)$ holds, and $w$, $w_{ij}$ ($1 \le i \le n$, $1 \le j \le k_i$) are valid $\lambda^{Set}_{comp}$ terms.

Proof. We prove it by induction on $n$, for every monad:

- Partial computation ($T\mathrm{def}_\tau = \mathrm{def}_\tau \cup \{\bot\}$): if $n = 0$, it is clear that $\llbracket t \rrbracket \in T\mathrm{def}_\tau$. When $n > 0$, because $\mathcal{P}(\llbracket t_1 \rrbracket)$ holds ($t_1$ must be closed), $\llbracket t_1 w_{11} \cdots w_{1k_1} \rrbracket \in T(\mathrm{def}_{\tau_1} \cap \mathcal{P}_{\tau_1})$. If $\llbracket t_1 w_{11} \cdots w_{1k_1} \rrbracket = \bot$, then $\llbracket t \rrbracket = \bot \in T\mathrm{def}_\tau$; otherwise, assume that $\llbracket t_1' \rrbracket = \llbracket t_1 w_{11} \cdots w_{1k_1} \rrbracket$ where $t_1'$ is a closed term of type $\tau_1$ (assuming that $t_1 w_{11} \cdots w_{1k_1}$ is of type $T\tau_1$). According to the definition of $\mathcal{P}$, $\mathcal{P}(\llbracket t_1' \rrbracket)$ holds. Let $t'$ be another closed term:

$$t' = \mathrm{let}\ x_2 \Leftarrow t_2' w'_{21} \cdots w'_{2k_2}\ \mathrm{in}\ \cdots\ \mathrm{let}\ x_n \Leftarrow t_n' w'_{n1} \cdots w'_{nk_n}\ \mathrm{in}\ \mathrm{val}(w[t_1'/x_1]),$$

where $t_i'$ ($2 \le i \le n$) is either $t_1'$ or $t_i$, and $w'_{ij} = w_{ij}[t_1'/x_1]$ ($2 \le i \le n$, $1 \le j \le k_i$). By induction, $\llbracket t' \rrbracket \in T\mathrm{def}_\tau$ holds. Furthermore,

$\llbracket t' \rrbracket = \llbracket \mathrm{let}\ x_2 \Leftarrow t_2 w_{21} \cdots w_{2k_2}\ \mathrm{in}\ \cdots\ \mathrm{let}\ x_n \Leftarrow t_n w_{n1} \cdots w_{nk_n}\ \mathrm{in}\ \mathrm{val}(w) \rrbracket [x_1 := \llbracket t_1' \rrbracket]$
$= \llbracket \mathrm{let}\ x_1 \Leftarrow t_1 w_{11} \cdots w_{1k_1}\ \mathrm{in}\ \cdots\ \mathrm{let}\ x_n \Leftarrow t_n w_{n1} \cdots w_{nk_n}\ \mathrm{in}\ \mathrm{val}(w) \rrbracket$
$= \llbracket t \rrbracket,$

hence $\llbracket t \rrbracket \in T\mathrm{def}_\tau$.

- Exception ($T\mathrm{def}_\tau = \mathrm{def}_\tau \cup E$): if $n = 0$, clearly $\llbracket t \rrbracket \in T\mathrm{def}_\tau$. When $n > 0$, because $\mathcal{P}(\llbracket t_1 \rrbracket)$ holds, $\llbracket t_1 w_{11} \cdots w_{1k_1} \rrbracket \in T(\mathrm{def}_{\tau_1} \cap \mathcal{P}_{\tau_1})$. If $\llbracket t_1 w_{11} \cdots w_{1k_1} \rrbracket \in E$, then $\llbracket t \rrbracket \in E \subseteq T\mathrm{def}_\tau$; otherwise, exactly as in the case of partial computation, build a term $t'$. Similarly, we prove that $\llbracket t \rrbracket = \llbracket t' \rrbracket \in T\mathrm{def}_\tau$ by induction.



- State transformer ($T\mathrm{def}_\tau = (\mathrm{def}_\tau \times St)^{St}$): when $n = 0$, for every $s \in St$, $\pi_1(\llbracket t \rrbracket s) = \llbracket w \rrbracket \in \mathrm{def}_\tau$, hence $\llbracket t \rrbracket \in T\mathrm{def}_\tau$. When $n > 0$, for every $s \in St$, assume that $\llbracket t_1^s \rrbracket = \pi_1(\llbracket t_1 w_{11} \cdots w_{1k_1} \rrbracket s)$ where $t_1^s$ is a closed term of type $\tau_1$ (assuming that $t_1 w_{11} \cdots w_{1k_1}$ is of type $T\tau_1$). According to the definition of $\mathcal{P}$, $\mathcal{P}(\llbracket t_1^s \rrbracket)$ holds. Let $t^s$ be another closed term:

$$t^s = \mathrm{let}\ x_2 \Leftarrow t_2^s w^s_{21} \cdots w^s_{2k_2}\ \mathrm{in}\ \cdots\ \mathrm{let}\ x_n \Leftarrow t_n^s w^s_{n1} \cdots w^s_{nk_n}\ \mathrm{in}\ \mathrm{val}(w[t_1^s/x_1]),$$

where $t_i^s$ ($2 \le i \le n$) is either $t_1^s$ or $t_i$, and $w^s_{ij} = w_{ij}[t_1^s/x_1]$ ($2 \le i \le n$, $1 \le j \le k_i$). By induction, $\llbracket t^s \rrbracket \in T\mathrm{def}_\tau$ holds. Furthermore, for every $s \in St$,

$\llbracket t \rrbracket s = \llbracket \mathrm{let}\ x_1 \Leftarrow t_1 w_{11} \cdots w_{1k_1}\ \mathrm{in}\ \cdots\ \mathrm{let}\ x_n \Leftarrow t_n w_{n1} \cdots w_{nk_n}\ \mathrm{in}\ \mathrm{val}(w) \rrbracket s$
$= (\llbracket \mathrm{let}\ x_2 \Leftarrow t_2 w_{21} \cdots w_{2k_2}\ \mathrm{in}\ \cdots\ \mathrm{let}\ x_n \Leftarrow t_n w_{n1} \cdots w_{nk_n}\ \mathrm{in}\ \mathrm{val}(w) \rrbracket [x_1 := \llbracket t_1^s \rrbracket])\, s'$
$= \llbracket t^s \rrbracket s',$

where $s' = \pi_2(\llbracket t_1 w_{11} \cdots w_{1k_1} \rrbracket s)$. Since $\llbracket t^s \rrbracket \in T\mathrm{def}_\tau$ for every $s \in St$, $\pi_1(\llbracket t \rrbracket s) = \pi_1(\llbracket t^s \rrbracket s') \in \mathrm{def}_\tau$, hence $\llbracket t \rrbracket \in T\mathrm{def}_\tau$.

Continuation (Tdef r = R R T ): we say that an element c G [Tr] = i?^ 1 1 is in 
Tdef T if and only if for every pair of continuations k\,k 2 G 

fcl|def T = h\def T ==>■ c(fci) = c(fc 2 ). 

If n = 0, [i] = A /c.fc([w]) G Tdef r . When n > 0, according to the definition of 
the continuation monad: [t] = Xk ■ [tiion • • • Wnfe n ](A;'), where 

= Aa-([let x 2 4= i 2 W2i ■ • • u>2fc 2 in • • • let x„ <*= t n w n i ■ ■ -w nkn in val(w)] [xi 

For every continuations ki,k 2 G such that k\ |d e f T = &2 |def T let 

&i = Aa-([let x 2 t 2 w 2 \ ■ ■ ■ w 2k2 in • • • let x n 4= t n w n \ ■ ■ ■ w nkn in val(w)][xi 

i = 1,2. Because [tiwn • • • witj G T(P Ti ndef Tl ),ifwecanproveA;f \r T1 ndef T1 = 
k' 2 \p Ti ndef T1 , which implies [t](fci) = [i](&2), we can conclude [i] G Tdef T . For 
every a G V Tl (~1 def Tl , let [if] = a where if is a closed term. Define another closed 
term t a : 

t" = let x 2 <= tlw a 2X ■ ■ ■ w% k2 in • • • let x n ^ t a n w a nl ■ ■ ■ w a nkn in val(«;[t?/xi]), 

where tf (2 < i < n) is either tl or i;, w?- ee i%-[if/xi] (2 < z < n, 1 < 
j < h). By induction, [i a ] G Tdef r , so fcf(a) = [i a ]fci = [i a ]fc 2 = fc 2 (a), i.e., 
K\v T1 ndef T1 = k' 2 \r T1 ndef T1 - 

Non-determinism (Tdef T = P fin (def r )): when n = 0, [t] = {[tu]} G Tdef T . 
When n > 0, for every a G [iiWn • • • WifeJ, assume that [if] = a where if is a 
closed term of type n (assuming that iiWn • • • Witj is of type Tn). According to 
the definition of P, P([if]) holds. Let t a be another closed term: 

t a = let x 2 <= t a 2 wl x ■ ■ ■ w a 2k2 in • • • let x n <= t a n w a nl ■ ■ ■ w a nkn in val(«;[tj/a;i]), 



where t\ (2 < i < n) is either t\ or U, ui° = w i3 [t^ /x{\ (2 < i < n, 1 < j < h). 
By induction, [i a ] G Tdef T holds. Furthermore, 

[t] = [let zi 4= tiwn • • • Wiky in • • • let x n <= t n w nl ■ ■ ■ w nkn in val(w)] 
= U [let x 2 <= t 2 w 2 i ■ ■ ■ w 2 k 2 in • • • 

a 6[*i] ]_ et Xn ^_ t„w n i ■ ■ ■ w n k in val(u;)] [xi := a] 

= u in 

oepil 

Because [i a ] G Tdef r holds for every a e piiun • • ■ wifcj, [f] G Tdef T . □ 



From the above lemma, we conclude immediately that for every closed $\beta c$-normal-$\eta$-long computation term $t$ in $\lambda_{comp}$ with logical constants, $[\![t]\!] \in T\mathrm{def}_\tau$.

Proposition 3. $\mathrm{def}_{T\tau} \subseteq T\mathrm{def}_\tau$ holds in the set-theoretical model of $\lambda_{comp}$ with logical constants.

Proof. It follows from Lemma 2 by considering the $\beta c$-normal-$\eta$-long terms that define elements in $[\![T\tau]\!]$, since $\lambda_{comp}$ is strongly normalizing. □

4.2 Completeness of logical relations for first-order types

We prove the completeness statement in this section for the partial computation monad, the exception monad, the state monad and the continuation monad. Throughout this section, $\lambda_{comp}$ is understood with the monad restricted to one of these four monads.

Proofs typically depend on the particular semantics of every form of computation, but a common technique is used frequently: given two definable but non-related elements of $[\![T\tau]\!]$, one can find a context to distinguish the programs (of type $T\tau$) that define the two given elements, and such a context is usually built from another context that can distinguish programs of type $\tau$.

Lemma 3. Let $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ be a logical relation in $\lambda_{comp}$ with only logical constants. $\sim_\tau \subseteq \mathcal{R}_\tau \Longrightarrow \sim_{T\tau} \subseteq \mathcal{R}_{T\tau}$ holds for every type $\tau$.

Proof. Take two arbitrary elements $c_1, c_2 \in [\![T\tau]\!]$ such that $(c_1, c_2) \notin \mathcal{R}_{T\tau}$; we prove that $c_1 \not\sim_{T\tau} c_2$ for every monad in $\lambda_{comp}$:

- Partial computation: the fact $(c_1, c_2) \notin \mathcal{R}_{T\tau}$ amounts to the following two cases:

  • $c_1, c_2 \in [\![\tau]\!]$ but $(c_1, c_2) \notin \mathcal{R}_\tau$, then $c_1 \not\sim_\tau c_2$. If one of these two values is not definable at type $\tau$, by Proposition 3 it is not definable at type $T\tau$ either. If both values are definable at type $\tau$ but they are not contextually equivalent, then there is a context $x : \tau \vdash C : To$ such that $[\![C]\!][x := c_1] \neq [\![C]\!][x := c_2]$. Thus, the context $y : T\tau \vdash \mathbf{let}\ x \Leftarrow y\ \mathbf{in}\ C : To$ can distinguish $c_1$ and $c_2$ (as two values of type $T\tau$).

  • $c_1 \in [\![\tau]\!]$ and $c_2 = \bot$ (or symmetrically, $c_1 = \bot$ and $c_2 \in [\![\tau]\!]$), then the context $\mathbf{let}\ x \Leftarrow y\ \mathbf{in}\ \mathrm{val}(\mathrm{true})$ can be used to distinguish them.

  $c_1 \not\sim_{T\tau} c_2$ in both cases.

- Exception: the fact $(c_1, c_2) \notin \mathcal{R}_{T\tau}$ amounts to three cases:

  • $c_1, c_2 \in [\![\tau]\!]$ but $(c_1, c_2) \notin \mathcal{R}_\tau$, then $c_1 \not\sim_\tau c_2$. Suppose both values are definable at type $\tau$; otherwise, by Proposition 3, they must not be definable at type $T\tau$. Similarly to the case of partial computation, we can build a context that distinguishes $c_1$ and $c_2$ as values of type $T\tau$ from the context that distinguishes $c_1$ and $c_2$ as values of type $\tau$.

  • $c_1 \in [\![\tau]\!]$, $c_2 \in E$. Consider the following context:

  $$y : T\tau \vdash \mathbf{let}\ x \Leftarrow y\ \mathbf{in}\ \mathrm{val}(\mathrm{true}) : T\mathrm{bool}.$$

  When $y$ is substituted by $c_1$ and $c_2$, the context evaluates to different values, namely a boolean and an exception.

  • $c_1, c_2 \in E$ but $c_1 \neq c_2$. Try the same context as in the second case, which will evaluate to two different exceptions that can be distinguished.

  $c_1 \not\sim_{T\tau} c_2$ in all three cases.

- State transformer: because $(c_1, c_2) \notin \mathcal{R}_{T\tau}$, there exists some $s_0 \in St$ such that either

  • $(\pi_1(c_1 s_0), \pi_1(c_2 s_0)) \notin \mathcal{R}_\tau$. Then by induction $\pi_1(c_1 s_0) \not\sim_\tau \pi_1(c_2 s_0)$. If $\pi_1(c_i s_0)$ ($i = 1, 2$) is not definable, then by Proposition 3 $c_i$ is not definable either. If both $\pi_1(c_1 s_0)$ and $\pi_1(c_2 s_0)$ are definable, but $\pi_1(c_1 s_0) \not\sim_\tau \pi_1(c_2 s_0)$, then there is a context $x : \tau \vdash C : To$ such that $[\![C]\!][x := \pi_1(c_1 s_0)] \neq [\![C]\!][x := \pi_1(c_2 s_0)]$, i.e., for some state $s'_0 \in St$,

  $$[\![C]\!][x := \pi_1(c_1 s_0)](s'_0) \neq [\![C]\!][x := \pi_1(c_2 s_0)](s'_0).$$

  Now we can use the following context:

  $$y : T\tau \vdash \mathbf{let}\ x \Leftarrow y\ \mathbf{in}\ \mathbf{let}\ z \Leftarrow \mathrm{update}_{s'_0}\ \mathbf{in}\ C : To.$$

  Let $f_i = [\![\mathbf{let}\ x \Leftarrow y\ \mathbf{in}\ \mathbf{let}\ z \Leftarrow \mathrm{update}_{s'_0}\ \mathbf{in}\ C]\!][y := c_i]$; then for every $s \in St$,

  $$f_i(s) = [\![\mathbf{let}\ z \Leftarrow \mathrm{update}_{s'_0}\ \mathbf{in}\ C]\!][x := \pi_1(c_i s)](\pi_2(c_i s)) = [\![C]\!][x := \pi_1(c_i s)](s'_0) \quad (i = 1, 2).$$

  $f_1 \neq f_2$, because when applied to the state $s_0$ they will return two different pairs, so the above context can distinguish the two values $c_1$ and $c_2$;

  • or $\pi_2(c_1 s_0) \neq \pi_2(c_2 s_0)$. We use the context

  $$y : T\tau \vdash \mathbf{let}\ x \Leftarrow y\ \mathbf{in}\ \mathrm{val}(\mathrm{true}) : T\mathrm{bool},$$

  then $[\![\mathbf{let}\ x \Leftarrow y\ \mathbf{in}\ \mathrm{val}(\mathrm{true})]\!][y := c_i] = \lambda s.(\mathrm{true}, \pi_2(c_i s))$ ($i = 1, 2$). These two functions are not equal since they return different results when applied to the state $s_0$.

  In both cases, $c_1 \not\sim_{T\tau} c_2$.

- Continuation: first say that two continuations $k_1, k_2 \in R^{[\![\tau]\!]}$ are $\mathcal{R}$-related if and only if for every $a_1, a_2 \in [\![\tau]\!]$, $a_1 \mathcal{R}_\tau a_2 \Longrightarrow k_1(a_1) = k_2(a_2)$. The fact $(c_1, c_2) \notin \mathcal{R}_{T\tau}$ means that there are two $\mathcal{R}$-related continuations $k_1, k_2$ such that $c_1(k_1) \neq c_2(k_2)$. Because $\sim_\tau \subseteq \mathcal{R}_\tau$, for every definable value $a \in \mathrm{def}_\tau$, clearly,

  $$a \sim_\tau a \Longrightarrow a \mathcal{R}_\tau a \Longrightarrow k_1(a) = k_2(a),$$

  so $k_1$ and $k_2$ coincide over $\mathrm{def}_\tau$. Suppose that both $c_1$ and $c_2$ are definable; then by Proposition 3 $c_1(k_1) = c_1(k_2)$ and $c_2(k_1) = c_2(k_2)$, hence $c_1(k_1) \neq c_2(k_1)$. Consider the context

  $$y : T\tau \vdash \mathbf{let}\ x \Leftarrow y\ \mathbf{in}\ \mathrm{call}_{k_1}(x) : T\mathrm{bool}.$$

  For every $k \in R^{[\![\mathrm{bool}]\!]}$,

  $$[\![\mathbf{let}\ x \Leftarrow y\ \mathbf{in}\ \mathrm{call}_{k_1}(x)]\!][y := c_i](k) \quad (i = 1, 2)$$
  $$= c_i(\lambda a \cdot ([\![\mathrm{call}_{k_1}(x)]\!][x := a])(k))$$
  $$= c_i(\lambda a \cdot k_1(a)) = c_i(k_1).$$

  Since $c_1(k_1) \neq c_2(k_1)$, this context distinguishes the two computations, hence $c_1 \not\sim_{T\tau} c_2$. □

Theorem 2. In $\lambda_{comp}$, if all constants are logical and in particular, if the following constants are present

— $\mathrm{update}_s$ for the state transformer monad;

— $\mathrm{call}_k$ for the continuation monad,

then logical relations are complete up to first-order types, in the strong sense that there exists an observational logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ such that for any closed terms $t_1, t_2$ of any type $\tau^1$ up to first order, if $t_1 \sim_{\tau^1} t_2$, then $[\![t_1]\!] \mathcal{R}_{\tau^1} [\![t_2]\!]$.

Proof. Take the logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ induced by $\mathcal{R}_b = \sim_b$, for any base type $b$. We prove by induction on types that $\sim_\tau \subseteq \mathcal{R}_\tau$ for any first-order type $\tau$. In particular, the induction step $\sim_\tau \subseteq \mathcal{R}_\tau \Longrightarrow \sim_{T\tau} \subseteq \mathcal{R}_{T\tau}$ is shown by Lemma 3. □



4.3 Completeness of logical relations for the non-determinism monad

The non-determinism monad is an interesting case: the completeness of logical relations for this monad does not hold for all first-order types! To see this, consider the following two programs of a first-order type that break the completeness of logical relations:

$$\vdash \mathrm{val}(\lambda x.(\mathrm{true} +_{\mathrm{bool}} \mathrm{false})) : T(\mathrm{bool} \to T\mathrm{bool}),$$

$$\vdash \lambda x.\mathrm{val}(\mathrm{true}) +_{\mathrm{bool} \to T\mathrm{bool}} \lambda x.(\mathrm{true} +_{\mathrm{bool}} \mathrm{false}) : T(\mathrm{bool} \to T\mathrm{bool}).$$

Recall the logical constant $+_\tau$ of type $\tau \to \tau \to T\tau$: $[\![+_\tau]\!](a_1, a_2) = \{a_1, a_2\}$ for every $a_1, a_2 \in [\![\tau]\!]$. The two programs are contextually equivalent: all a context can do is apply the functions to some arguments and observe the results. But no matter how many times we apply these two functions, we always get the same set of possible values ($\{\mathrm{true}, \mathrm{false}\}$), so there is no way to distinguish them with a context. Recall the logical relation for the non-determinism monad in Figure 2:

$$c_1 \mathcal{R}_{T\tau} c_2 \iff (\forall a_1 \in c_1.\ \exists a_2 \in c_2.\ a_1 \mathcal{R}_\tau a_2)\ \&\ (\forall a_2 \in c_2.\ \exists a_1 \in c_1.\ a_1 \mathcal{R}_\tau a_2).$$

Clearly the denotations of the above two programs are not related by that relation, because the function $[\![\lambda x.\mathrm{val}(\mathrm{true})]\!]$ from the second program is not related to the function in the first.

However, if we assume that for every non-observable base type $b$, there is an equality test constant $\mathrm{test}_b : b \to b \to \mathrm{bool}$ (clearly, $\mathcal{P}(\mathrm{test}_b)$ holds), logical relations for the non-determinism monad are then complete for a set of weak first-order types:

$$\tau^1_w ::= b \mid Tb \mid b \to \tau^1_w$$

Compared to all types up to first order, weak first-order types do not contain monadic types of functions, so this immediately excludes the two programs in the above counterexample.
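The counterexample can be checked mechanically. The following Python script is an added illustration and is not part of the paper: it encodes the denotations of the two programs as finite sets of functions over bool, implements the relation of Figure 2 together with the usual clause for arrow types (related arguments go to related results, with $\mathcal{R}_{\mathrm{bool}}$ being equality), and compares what a context can observe by binding one of the possible functions and applying it to a sequence of arguments. The names `PROG1`, `PROG2`, `rel_T`, `may_outcomes` and the `Fun` wrapper are the example's own, not notation from the paper.

```python
from itertools import product


class Fun:
    """A function bool -> P_fin(bool) given by a table; wrapped in a class so
    that it is hashable and can be an element of a Python set (constructed
    helper for this example)."""

    def __init__(self, name, table):
        self.name = name      # printable label, for readability only
        self.table = table    # dict: bool -> frozenset of possible results

    def __call__(self, a):
        return self.table[a]

    def __repr__(self):
        return self.name


BOTH = frozenset({True, False})

# [[ lambda x.(true +_bool false) ]]: on any input it may return true or false
f_choice = Fun("lam x.(true + false)", {True: BOTH, False: BOTH})
# [[ lambda x.val(true) ]]: always returns true
f_true = Fun("lam x.val(true)", {True: frozenset({True}), False: frozenset({True})})

# Denotations of the two programs of type T(bool -> Tbool): finite sets of functions
PROG1 = frozenset({f_choice})           # val(lambda x.(true + false))
PROG2 = frozenset({f_true, f_choice})   # lambda x.val(true) + lambda x.(true + false)


def rel_T(c1, c2, rel):
    """Logical relation at T tau for the non-determinism monad (Figure 2):
    every element of c1 has a rel-partner in c2 and vice versa."""
    return (all(any(rel(a1, a2) for a2 in c2) for a1 in c1)
            and all(any(rel(a1, a2) for a1 in c1) for a2 in c2))


def rel_bool(a1, a2):
    """R_bool is equality: bool is an observation type."""
    return a1 == a2


def rel_fun(f1, f2, rel_arg, rel_res, domain):
    """Logical relation at an arrow type: related arguments go to related results."""
    return all(rel_res(f1(a1), f2(a2))
               for a1, a2 in product(domain, repeat=2) if rel_arg(a1, a2))


def rel_bool_to_Tbool(f1, f2):
    """R at bool -> Tbool: arguments related by equality, results by Figure 2."""
    return rel_fun(f1, f2, rel_bool,
                   lambda r1, r2: rel_T(r1, r2, rel_bool), (True, False))


def logically_related(c1, c2):
    """R at T(bool -> Tbool): Figure 2 applied to R at bool -> Tbool."""
    return rel_T(c1, c2, rel_bool_to_Tbool)


def may_outcomes(c, args):
    """What a context can observe: bind one function g from c (let g <= y in ...)
    and apply it to each argument in turn; each application is itself
    non-deterministic. Returns the set of possible tuples of results."""
    outcomes = set()
    for g in c:
        for results in product(*(g(a) for a in args)):
            outcomes.add(results)
    return frozenset(outcomes)
```

Running `logically_related(PROG1, PROG2)` gives `False`, because `f_true` has no partner in `PROG1`, while `may_outcomes(PROG1, args) == may_outcomes(PROG2, args)` holds for any argument sequence: every tuple of booleans is already reachable through `f_choice`, so the extra function in `PROG2` adds nothing a context can see.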

Theorem 3. Logical relations for the non-determinism monad are complete up to weak first-order types, in the strong sense that there exists an observational logical relation $(\mathcal{R}_\tau)_{\tau\ \mathrm{type}}$ such that for any closed terms $t_1, t_2$ of a weak first-order type $\tau^1_w$, if $t_1 \sim_{\tau^1_w} t_2$, then $[\![t_1]\!] \mathcal{R}_{\tau^1_w} [\![t_2]\!]$.

Proof. Take the logical relation $\mathcal{R}$ induced by $\mathcal{R}_b = \sim_b$, for any base type $b$. We prove by induction on types that $\sim_{\tau^1_w} \subseteq \mathcal{R}_{\tau^1_w}$ for any weak first-order type $\tau^1_w$.

Cases $b$ and $b \to \tau^1_w$ go identically as in standard typed lambda-calculi. For monadic types $Tb$, suppose that $(c_1, c_2) \notin \mathcal{R}_{Tb}$, which means either there is a value in $c_1$ such that no value of $c_2$ is related to it, or there is such a value in $c_2$. We assume that every value in $c_1$ and $c_2$ is definable (otherwise it is obvious that $c_1 \not\sim_{Tb} c_2$ because at least one of them is not definable, according to Proposition 3). Suppose there is a value $a \in c_1$ such that no value in $c_2$ is related to it, and $a$ can be defined by a closed term $t$ of type $b$. Then the following context can distinguish $c_1$ and $c_2$:

$$x : Tb \vdash \mathbf{let}\ y \Leftarrow x\ \mathbf{in}\ \mathrm{test}_b(y, t) : T\mathrm{bool}$$

since every value in $c_2$ is not contextually equivalent to $a$, hence not equal to $a$. □

Now let $\mathrm{state}$ and $\mathrm{label}$ be base types such that $\mathrm{label}$ is an observation type, whereas $\mathrm{state}$ is not. Using the non-determinism monad, we can define labeled transition systems as elements of $[\![\mathrm{state} \to \mathrm{label} \to T\mathrm{state}]\!]$, with states in $[\![\mathrm{state}]\!]$ and labels in $[\![\mathrm{label}]\!]$, as functions mapping a state $a$ and a label $l$ to the set of states $b$ such that $a \xrightarrow{l} b$. The logical relation at type $\mathrm{state} \to \mathrm{label} \to T\mathrm{state}$ is given by [2]:

$$(f_1, f_2) \in \mathcal{R}_{\mathrm{state} \to \mathrm{label} \to T\mathrm{state}} \iff$$
$$\forall a_1, a_2, l_1, l_2 \cdot (a_1, a_2) \in \mathcal{R}_{\mathrm{state}}\ \&\ (l_1, l_2) \in \mathcal{R}_{\mathrm{label}} \Longrightarrow$$
$$(\forall b_1 \in f_1(a_1, l_1) \cdot \exists b_2 \in f_2(a_2, l_2) \cdot (b_1, b_2) \in \mathcal{R}_{\mathrm{state}})$$
$$\&\ (\forall b_2 \in f_2(a_2, l_2) \cdot \exists b_1 \in f_1(a_1, l_1) \cdot (b_1, b_2) \in \mathcal{R}_{\mathrm{state}})$$

In case $\mathcal{R}_{\mathrm{label}}$ is equality, $f_1$ and $f_2$ are logically related if and only if $\mathcal{R}_{\mathrm{state}}$ is a strong bisimulation between the labeled transition systems $f_1$ and $f_2$.

Sometimes we explicitly specify an initial state for a labeled transition system. In this case, the encoding of the labeled transition system in the non-determinism monad is a pair $(q, f)$ of $[\![\mathrm{state} \times (\mathrm{state} \to \mathrm{label} \to T\mathrm{state})]\!]$, where $q$ is the initial state and $f$ is the transition relation as defined above. Then $(q_1, f_1)$ and $(q_2, f_2)$ are logically related if and only if they are strongly bisimilar, i.e., $\mathcal{R}_{\mathrm{state}}$ is a strong bisimulation between the two labeled transition systems and $q_1 \mathcal{R}_{\mathrm{state}} q_2$.

Corollary 1 (Soundness of strong bisimulation). Let $f_1$ and $f_2$ be transition systems. If there exists a strong bisimulation between $f_1$ and $f_2$, then $f_1$ and $f_2$ are contextually equivalent.

Proof. There exists a strong bisimulation between $f_1$ and $f_2$, therefore $f_1$ and $f_2$ are logically related. By Theorem 1, $f_1$ and $f_2$ are thus contextually equivalent. □

In order to prove completeness, we need to assume that $\mathrm{label}$ has no junk, in the sense that every value of $[\![\mathrm{label}]\!]$ is definable.

Corollary 2 (Completeness of strong bisimulation). Let $f_1$ and $f_2$ be transition systems which are definable. If $f_1$ and $f_2$ are contextually equivalent and $\mathrm{label}$ has no junk, then there exists a strong bisimulation between $f_1$ and $f_2$.

Proof. Let $\mathcal{R}$ be the logical relation given by Theorem 3. $f_1$ and $f_2$ are definable and contextually equivalent, so $f_1 \mathcal{R}_{\mathrm{state} \to \mathrm{label} \to T\mathrm{state}} f_2$. Moreover, because $\mathrm{label}$ has no junk, $\mathcal{R}_{\mathrm{label}}$ is equality. $\mathcal{R}_{\mathrm{state}}$ is thus a strong bisimulation between $f_1$ and $f_2$. □
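As an added example that is not from the paper, the following Python code encodes constructed finite labeled transition systems as functions $(\mathrm{state}, \mathrm{label}) \mapsto$ finite set of states, implements the logical relation at type $\mathrm{state} \to \mathrm{label} \to T\mathrm{state}$ displayed above with $\mathcal{R}_{\mathrm{label}}$ taken to be equality, and computes the largest strong bisimulation between two systems as a greatest fixpoint. That is the relation Corollaries 1 and 2 connect to contextual equivalence: two systems with initial states are logically related exactly when the initial states lie in some (hence in the largest) strong bisimulation. The transition systems `A`, `B`, `C`, their state names and the function names (`lts_related`, `largest_bisimulation`, `bisimilar`) are all constructed for this illustration.

```python
from itertools import product

# Three constructed finite labeled transition systems (not from the paper):
#   A: p0 -a-> p1, p0 -a-> p2, p1 -b-> p3, p2 -b-> p3
#   B: q0 -a-> q1, q1 -b-> q2
#   C: r0 -a-> r1, r0 -a-> r2, r1 -b-> r3      (r2 is stuck after a)
# A and B are strongly bisimilar; A and C are not.
STATES_A = ("p0", "p1", "p2", "p3")
STATES_B = ("q0", "q1", "q2")
STATES_C = ("r0", "r1", "r2", "r3")
LABELS = ("a", "b")
TRANS_A = {("p0", "a"): {"p1", "p2"}, ("p1", "b"): {"p3"}, ("p2", "b"): {"p3"}}
TRANS_B = {("q0", "a"): {"q1"}, ("q1", "b"): {"q2"}}
TRANS_C = {("r0", "a"): {"r1", "r2"}, ("r1", "b"): {"r3"}}


def lts(trans):
    """Encode a transition table as the element of [[state -> label -> Tstate]]:
    a function from (state, label) to the finite set of successor states."""
    return lambda s, l: frozenset(trans.get((s, l), ()))


f_A, f_B, f_C = lts(TRANS_A), lts(TRANS_B), lts(TRANS_C)


def matched(succ1, succ2, r):
    """Both halves of the Tstate clause: every b1 in succ1 has an r-partner
    in succ2 and every b2 in succ2 has an r-partner in succ1."""
    return (all(any((b1, b2) in r for b2 in succ2) for b1 in succ1)
            and all(any((b1, b2) in r for b1 in succ1) for b2 in succ2))


def lts_related(f1, f2, r_state, labels, r_label=lambda l1, l2: l1 == l2):
    """The logical relation at state -> label -> Tstate from the paper, for a
    candidate R_state (a set of state pairs). R_label is equality by default,
    which makes this exactly the strong-bisimulation condition on R_state."""
    return all(matched(f1(a1, l1), f2(a2, l2), r_state)
               for (a1, a2) in r_state
               for l1, l2 in product(labels, repeat=2) if r_label(l1, l2))


def largest_bisimulation(f1, f2, states1, states2, labels):
    """Greatest fixpoint: start from all state pairs and discard pairs that
    violate the transfer condition until nothing changes. The result is the
    largest strong bisimulation between f1 and f2 (possibly empty)."""
    r = set(product(states1, states2))
    changed = True
    while changed:
        changed = False
        for pair in list(r):
            a1, a2 = pair
            if not all(matched(f1(a1, l), f2(a2, l), r) for l in labels):
                r.discard(pair)
                changed = True
    return frozenset(r)


def bisimilar(f1, q1, f2, q2, states1, states2, labels):
    """Encoding with initial states: (q1, f1) and (q2, f2) are logically
    related iff some strong bisimulation contains (q1, q2), i.e. iff the
    largest one does."""
    return (q1, q2) in largest_bisimulation(f1, f2, states1, states2, labels)
```

`largest_bisimulation(f_A, f_B, STATES_A, STATES_B, LABELS)` returns `{(p0,q0), (p1,q1), (p2,q1), (p3,q2)}`, and `lts_related` accepts that set as an $\mathcal{R}_{\mathrm{state}}$; the pair `(p0, r0)` is removed for A and C because `r2` has no b-successor while every a-successor of `p0` has one. The fixpoint loop is quadratic in the number of pairs per iteration, which is fine for illustration; partition refinement would be the choice for large systems.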

5 Conclusion 

The work presented in this paper is a natural continuation of the authors' previous work [2,3]. In [2], we extend [9] and derive logical relations for monadic types which are sound in the sense that the Basic Lemma still holds. In [3], we study contextual equivalence in a specific version of the computational $\lambda$-calculus with cryptographic primitives and we show that lax logical relations (the categorical generalization of logical relations [14]) derived using the same construction are complete. Then in this paper, we explore the completeness of logical relations for the computational $\lambda$-calculus and we show that they are complete at first-order types, for a list of common monads: partial computations, exceptions, state transformers and continuations, while in the case of continuations, the completeness depends on a natural constant $\mathrm{call}$, with which we cannot show the soundness.

Pitts and Stark have defined operationally based logical relations to characterize contextual equivalence in a language with local store [13]. This work can be traced back to their early work on the nu-calculus [12], which can be translated into a special version of the computational $\lambda$-calculus and be modeled using the dynamic name creation monad [11]. Logical relations for this monad are derived in [19] using the construction from [2]. It is also shown in [19] that such derived logical relations are equivalent to Pitts and Stark's operational logical relations up to second-order types.



An exceptional case of our completeness result is the non-determinism monad, where logical relations are not complete for all first-order types, but only for a subset of them. We effectively show this by providing a counterexample that breaks the completeness at first-order types. This is indeed an interesting case. A more comprehensive study of this monad can be found in [4], where Jeffrey defines a denotational model for the computational $\lambda$-calculus specialized to non-determinism and proves that this model is fully abstract for may-testing. The relation between our notion of contextual equivalence and the may-testing equivalence remains to be clarified.

Recently, Lindley and Stark introduced the syntactic $\top\top$-lifting for the computational $\lambda$-calculus and proved strong normalization [7]. Katsumata then instantiated their liftings in Set [5]. The $\top\top$-lifting of strong monads is an essentially different approach from that in [2]. It would be interesting to establish a formal relationship between these two approaches, and to look for a general proof of completeness using the $\top\top$-lifting.